Actions Supported by Policy-based Authorization
This section describes the actions supported by DDS in policy-based authorization.
Supported Actions
DDS provides system-defined policies that can be directly used in IAM. You can also create custom policies to supplement system-defined policies for more refined access control. Operations supported by policies are specific to APIs. The following are common concepts related to policies:
- Permissions: statements in a policy that allow or deny certain operations
- APIs: REST APIs that can be called by a user who has been granted specific permissions
- Actions: specific operations that are allowed or denied in a custom policy
- Dependencies: actions which a specific action depends on. When allowing an action for a user, you also need to allow any existing action dependencies for that user.
- IAM projects/Enterprise projects: the authorization scope of a custom policy. A custom policy can be applied to IAM projects or enterprise projects or both. Policies that contain actions for both IAM and enterprise projects can be used and applied for both IAM and Enterprise Management. Policies that contain actions only for IAM projects can be used and applied to IAM only. Administrators can check whether an action supports IAM projects or enterprise projects in the action list. For details about the differences between IAM and enterprise management, see What Are the Differences Between IAM and Enterprise Management?
DDS supports the following actions in custom policies:
| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Creating a DB instance | POST /v3/{project_id}/instances | dds:instance:create vpc:vpcs:list vpc:vpcs:get vpc:subnets:get vpc:securityGroups:get vpc:ports:get | √ | √ |
| Querying DB instances | GET /v3/{project_id}/instances?id={id}&name={name}&mode={mode}&datastore_type={datastore_type}&vpc_id={vpc_id}&subnet_id={subnet_id}&offset={offset}&limit={limit} | dds:instance:list | √ | √ |
| Deleting a DB instance | DELETE /v3/{project_id}/instances/{instance_id} | dds:instance:deleteInstance | √ | √ |
| Restarting a DB instance | POST /v3/{project_id}/instances/{instance_id}/restart | dds:instance:reboot | √ | √ |
| Scaling up storage space of a DB instance | POST /v3/{project_id}/instances/{instance_id}/enlarge-volume | dds:instance:extendVolume | √ | √ |
| Adding nodes for a cluster instance | POST /v3/{project_id}/instances/{instance_id}/enlarge | dds:instance:extendNode vpc:vpcs:list vpc:vpcs:get vpc:subnets:get vpc:securityGroups:get vpc:ports:get | √ | √ |
| Changing the instance class | POST /v3/{project_id}/instances/{instance_id}/resize | dds:instance:modifySpec | √ | √ |
| Performing a primary/secondary switchover in a replica set instance | POST /v3/{project_id}/instances/{instance_id}/switchover | dds:instance:switchover | √ | √ |
| Enabling or disabling SSL | POST /v3/{project_id}/instances/{instance_id}/switch-ssl | dds:instance:modifySSL | √ | √ |
| Changing a DB instance name | PUT /v3/{project_id}/instances/{instance_id}/modify-name | dds:instance:modify | √ | √ |
| Changing a database port | POST /v3/{project_id}/instances/{instance_id}/modify-port | dds:instance:modifyPort | √ | √ |
| Changing a security group | POST /v3/{project_id}/instances/{instance_id}/modify-security-group | dds:instance:modifySecurityGroup | √ | √ |
| Binding an EIP | POST /v3/{project_id}/nodes/{node_id}/bind-eip | dds:instance:bindPublicIp | √ | √ |
| Unbinding an EIP | POST /v3/{project_id}/nodes/{node_id}/unbind-eip | dds:instance:unbindPublicIp | √ | √ |
| Changing the private IP address of a DB instance | POST /v3/{project_id}/instances/{instance_id}/modify-internal-ip | dds:instance:modifyVIP | √ | √ |
| Enabling shard or config IP address for a cluster instance | POST /v3/{project_id}/instances/{instance_id}/create-ip | dds:instance:createIp | √ | √ |
| Querying AZs to which an instance can be migrated | GET /v3/{project_id}/instances/{instance_id}/migrate/az | dds:instance:migrate | √ | √ |
| Migrating a DB instance to another AZ | POST /v3/{project_id}/instances/{instance_id}/migrate | dds:instance:migrate | √ | √ |

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Querying sessions of an instance node | GET /v3/{project_id}/nodes/{node_id}/sessions | dds:instance:session | √ | √ |
| Killing sessions of an instance node | POST /v3/{project_id}/nodes/{node_id}/session | dds:instance:session | √ | √ |
| Querying the number of connections to an instance node | GET /v3/{projectId}/instances/{instance_id}/conn-statistics | dds:instance:list | √ | √ |

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Creating a manual backup | POST /v3/{project_id}/backups | dds:instance:createManualBackup | √ | √ |
| Deleting a manual backup | DELETE /v3/{project_id}/backups/{backups_id} | dds:backup:delete | √ | √ |
| Querying backups | GET /v3/{project_id}/backups?instance_id={instance_id}&backup_id={backup_id}&backup_type={backup_type}&offset={offset}&limit={limit}&begin_time={begin_time}&end_time={end_time}&mode={mode} | dds:backup:list | √ | √ |
| Querying an automated backup policy | GET /v3/{project_id}/instances/{instance_id}/backups/policy | dds:instance:list | √ | √ |
| Configuring an automated backup policy | PUT /v3/{project_id}/instances/{instance_id}/backups/policy | dds:instance:modifyBackupPolicy | √ | √ |
| Restoring data to a new DB instance | POST /v3/{project_id}/instances | dds:instance:create vpc:vpcs:list vpc:vpcs:get vpc:subnets:get vpc:securityGroups:get vpc:ports:get | √ | √ |
| Obtaining the link for downloading a backup | GET /v3/{projectId}/backups/download-file | dds:backup:download | √ | √ |
| Querying restoration time ranges | GET /v3/{project_id}/instances/{instance_id}/restore-time | dds:instance:list | √ | √ |
| Obtaining the list of databases that can be restored | GET /v3/{project_id}/instances/{instance_id}/restore-database | dds:instance:list | √ | √ |
| Obtaining the list of database collections that can be restored | GET /v3/{project_id}/instances/{instance_id}/restore-collection | dds:instance:list | √ | √ |
| Restoring data to the original DB instance | POST /v3/{project_id}/instances/recovery | dds:backup:refreshInstanceFromBackup | √ | √ |
| Restoring databases and tables to a point in time | POST /v3/{project_id}/instances/{instance_id}/restore/collections | dds:backup:refreshInstanceFromBackup | √ | √ |

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Obtaining parameter templates | GET /v3/{project_id}/configurations | dds:param:list | √ | √ |
| Creating a parameter template | PUT /v3/{project_id}/configurations | dds:param:create | √ | √ |
| Deleting a parameter template | DELETE /v3/{project_id}/configurations/{config_id} | dds:param:delete | √ | √ |
| Obtaining details about a parameter template | GET /v3/{projectId}/configurations/{configId} | dds:param:list | √ | √ |
| Modifying a parameter template | PUT /v3/{project_id}/configurations/{config_id} | dds:param:modify | √ | √ |
| Applying a parameter template | PUT /v3/{project_id}/configurations/{config_id}/apply | dds:instance:modifyParameter | √ | √ |
| Obtaining parameters of a specified DB instance | GET /v3/{project_id}/instances/{instance_id}/configurations | dds:param:list | √ | √ |
| Modifying parameters of a specified DB instance | PUT /v3/{project_id}/instances/{instance_id}/configurations | dds:instance:modifyParameter | √ | √ |

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Querying slow query logs of a DB instance | GET /v3/{project_id}/instances/{instance_id}/slowlog | dds:instance:list | √ | √ |
| Obtaining the link for downloading slow query logs | POST /v3/{project_id}/instances/{instance_id}/slowlog-download | dds:instance:list | √ | √ |
| Querying error logs of a DB instance | GET /v3/{project_id}/instances/{instance_id}/errorlog | dds:instance:list | √ | √ |
| Obtaining the link for downloading error logs | POST /v3/{project_id}/instances/{instance_id}/errorlog-download | dds:instance:list | √ | √ |
| Configuring an audit log policy | POST /v3/{project_id}/instances/{instance_id}/auditlog-policy | dds:instance:modifyAuditLogSwitch | √ | √ |
| Querying the audit log policy | GET /v3/{project_id}/instances/{instance_id}/auditlog-policy | dds:instance:list | √ | √ |
| Querying the audit log list | GET /v3/{project_id}/instances/{instance_id}/auditlog | dds:instance:list | √ | √ |
| Obtaining the link for downloading audit logs | POST /v3/{project_id}/instances/{instance_id}/auditlog-links | dds:instance:downloadAuditLog | √ | √ |

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Adding or deleting resource tags in batches | POST /v3/{project_id}/instances/{instance_id}/tags/action | dds:instance:modify | √ | √ |
| Querying resource tags | GET /v3/{project_id}/instances/{instance_id}/tags | dds:instance:list | √ | √ |

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Creating a database user | POST /v3/{project_id}/instances/{instance_id}/db-user | dds:instance:createDatabaseUser | √ | √ |
| Creating a database role | POST /v3/{project_id}/instances/{instance_id}/db-role | dds:instance:createDatabaseRole | √ | √ |
| Deleting a database user | DELETE /v3/{project_id}/instances/{instance_id}/db-user | dds:instance:deleteDatabaseUser | √ | √ |
| Deleting a database role | DELETE /v3/{project_id}/instances/{instance_id}/db-role | dds:instance:deleteDatabaseRole | √ | √ |
| Changing the password of a database user | PUT /v3/{project_id}/instances/{instance_id}/reset-password | dds:instance:resetPasswd | √ | √ |
| Querying database users | GET /v3/{project_id}/instances/{instance_id}/db-user/detail?offset={offset}&limit={limit}&user_name={user_name}&db_name={db_name} | dds:instance:get | √ | √ |
| Querying database roles | GET /v3/{project_id}/instances/{instance_id}/db-roles?role_name={role_name}&db_name={db_name}&offset={offset}&limit={limit} | dds:instance:get | √ | √ |
| Querying and setting the cluster balancer | GET /v3/{project_id}/instances/{instance_id}/balancer PUT /v3/{project_id}/instances/{instance_id}/balancer/{action} PUT /v3/{project_id}/instances/{instance_id}/balancer/active-window | dds:instance:balancer | √ | √ |

The check mark (√) indicates that the action takes effect. The cross mark (x) indicates that the action does not take effect.
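
The dependency rule described under Supported Actions, applied to a few rows of these tables as an added example (not Huawei Cloud's own code): it maps the API calls a role needs to the actions listed for them, builds an Allow statement with exactly those actions, and reports actions an existing policy lacks. Assumptions: every action listed in a row must be allowed for that call, the `Version`/`Statement`/`Effect`/`Action` policy layout, and the constructed project ID `0123abcd`; action names and API paths are copied from the tables.

```python
import json
import re

# Subset of rows copied from the tables on this page: (method, path) -> actions.
VPC_READ = ["vpc:vpcs:list", "vpc:vpcs:get", "vpc:subnets:get",
            "vpc:securityGroups:get", "vpc:ports:get"]
ACTION_TABLE = {
    ("POST", "/v3/{project_id}/instances"): ["dds:instance:create"] + VPC_READ,
    ("GET", "/v3/{project_id}/instances"): ["dds:instance:list"],
    ("POST", "/v3/{project_id}/instances/{instance_id}/enlarge"):
        ["dds:instance:extendNode"] + VPC_READ,
    ("POST", "/v3/{project_id}/backups"): ["dds:instance:createManualBackup"],
    ("GET", "/v3/{project_id}/backups"): ["dds:backup:list"],
    ("POST", "/v3/{project_id}/nodes/{node_id}/bind-eip"): ["dds:instance:bindPublicIp"],
}

def _pattern(template):
    # Turn each "{name}" placeholder into a single-path-segment wildcard.
    return re.compile("^" + re.sub(r"\{[^}]+\}", "[^/]+", template) + "$")

def actions_for(method, url):
    """Return the actions the table lists for one concrete API call."""
    path = url.split("?", 1)[0]  # query parameters do not affect the action
    for (m, template), actions in ACTION_TABLE.items():
        if m == method.upper() and _pattern(template).match(path):
            return actions
    raise KeyError(f"{method} {path} is not in the table subset")

def build_policy(calls):
    """Allow statement covering exactly the given calls (policy layout assumed)."""
    needed = sorted({a for m, u in calls for a in actions_for(m, u)})
    return {"Version": "1.1", "Statement": [{"Effect": "Allow", "Action": needed}]}

def missing_actions(policy, calls):
    """Actions the calls need that no Allow statement names explicitly.

    Wildcards and Deny statements are not evaluated in this check.
    """
    allowed = {a for s in policy["Statement"] if s["Effect"] == "Allow"
               for a in s["Action"]}
    return sorted({a for m, u in calls for a in actions_for(m, u)} - allowed)

if __name__ == "__main__":
    # Constructed sample: a role that creates instances and lists backups.
    calls = [("POST", "/v3/0123abcd/instances"),
             ("GET", "/v3/0123abcd/backups?limit=10")]
    print(json.dumps(build_policy(calls), indent=2))
```
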